T-Mobile has warned millions of its customers that a threat actor used an Application Programming Interface (API) to gain access to some of their sensitive data.
In a warning published on the company’s website, T-Mobile tried to play down the importance of the incident, saying some “basic customer information (nearly all of which is the type widely available in marketing databases or directories)” was obtained.
The data, however, includes people’s names, billing addresses, email addresses, phone numbers, dates of birth, and account numbers, all valuable information for identity theft attacks, phishing, and similar social engineering attacks.
Millions of victims
Passwords, payment card information, Social Security numbers, government ID numbers, as well as financial account information, remained safe, the company confirmed. It also said its investigation concluded that there was no evidence of a breach in its networks or systems.
While the warning does not say how many people were affected by the breach, or which account types were compromised, a total of 37 million customers had their data accessed, including both prepaid and postpaid customers.
The attack took place between November 25, 2022, and January 5, 2023. It was on January 6 that T-Mobile finally cut the threat actors’ access.
The company reported the attack to both law enforcement and federal agencies in the United States, and said their investigation is ongoing. T-Mobile also added that it started notifying customers who might have had their data compromised.
The German telecommunications giant’s track record for data breaches is far from ideal. The company has had multiple incidents over the years, including one in 2018, one in 2019, and at least three in 2020. In 2021, it was found that the company paid hundreds of thousands of dollars to not have its sensitive data leaked to the web, which happened anyway, and a year later, in 2022, it confirmed being targeted by the Lapsus$ extortion gang.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.